In July 2020, a handful of Twitter employees received phone calls from people claiming to be IT administrators. Those calls led to the compromise of 130 high-profile accounts — including Barack Obama, Elon Musk, and Apple — and a Bitcoin scam that netted over $100,000 in hours. The whole thing started with a phishing attack. Not a sophisticated zero-day exploit. Not a nation-state hacking tool. A phone call and a fake login page.
If you've ever searched for the definition of a phishing attack, you've probably found sterile textbook language that doesn't prepare you for what these attacks actually look like in the wild. This post gives you the real definition, breaks down the major variants, walks through actual incidents, and tells you exactly what to do about it — whether you're protecting yourself or an entire organization.
The Real Definition of a Phishing Attack
Phishing is a social engineering attack where a threat actor impersonates a trusted entity to trick a victim into revealing sensitive information, clicking a malicious link, or executing an action that compromises security. That's the definition of a phishing attack in one sentence.
But here's what that definition misses: phishing works because it exploits trust and urgency, not technology. The attacker doesn't need to break through your firewall. They need one employee to believe an email is from Microsoft, enter their credentials on a fake page, and hand over the keys to your network.
According to the FBI's 2020 Internet Crime Report, phishing was the most reported cybercrime in the United States, with 241,342 complaints, more than double the previous year's count. Reported losses across all crime types in that report exceeded $4.2 billion, and business email compromise alone accounted for $1.8 billion of that total.
Why Textbook Definitions Fall Short
Most definitions frame phishing as "fraudulent emails designed to steal passwords." That was accurate in 2005. In 2021, it barely scratches the surface.
Modern phishing campaigns use SMS messages (smishing), voice calls (vishing), QR codes, social media DMs, collaboration platforms like Slack and Teams, and even calendar invites. The Twitter breach I mentioned? That was vishing — voice phishing — combined with a credential theft page. No email involved at all.
I've seen organizations that trained employees exclusively on email phishing get blindsided by a text message campaign impersonating their CEO. If your definition of a phishing attack is too narrow, your defenses will be too.
The Anatomy of a Phishing Attack: Step by Step
1. Reconnaissance
The threat actor researches the target. LinkedIn profiles, company websites, press releases, social media — all of it provides the raw material for a convincing attack. They learn who your CFO reports to, which vendor handles your payroll, and when your fiscal year ends.
2. The Lure
The attacker crafts a message designed to trigger an emotional response. Fear ("Your account has been suspended"), urgency ("Wire transfer needed by 3 PM"), curiosity ("See your performance review"), or authority ("This is the CEO, I need this handled now"). The message impersonates someone or something the victim trusts.
3. The Hook
The victim clicks a link, opens an attachment, or responds with sensitive information. Credential theft pages are the most common hook — pixel-perfect replicas of Microsoft 365, Google Workspace, or banking login pages. The victim enters their username and password, and the attacker harvests them in real time.
4. Exploitation
With stolen credentials, the attacker logs into the victim's account. From there, they can move laterally through the network, deploy ransomware, exfiltrate data, set up email forwarding rules to intercept future communications, or launch secondary phishing attacks from the compromised account — which now appear even more legitimate.
5. Monetization
The attacker profits through wire fraud, ransomware payments, selling stolen data on dark web markets, or leveraging access for long-term espionage. The 2021 Verizon Data Breach Investigations Report found phishing present in 36% of breaches, the single most common action in its breach dataset.
The 6 Types of Phishing You Need to Know
Standard Email Phishing
Mass-distributed emails impersonating brands like Microsoft, Amazon, DHL, or DocuSign. These cast a wide net. Low effort per target, high volume. Most spam filters catch many of them, but enough slip through to remain devastatingly effective.
Spear Phishing
Targeted attacks aimed at specific individuals. The attacker uses personal details to craft a convincing message. This is what hit RSA Security in 2011, when an employee opened a spreadsheet titled "2011 Recruitment Plan" attached to a spear phishing email. That single action led to the compromise of RSA's SecurID tokens — affecting defense contractors worldwide.
Whaling
Spear phishing aimed at executives: CEOs, CFOs, board members. The stakes are higher, and so is the attacker's preparation. Whaling attacks frequently impersonate legal counsel, auditors, or regulators to create pressure and urgency.
Business Email Compromise (BEC)
The attacker compromises or spoofs an executive's email account and instructs someone in finance to wire money. BEC accounted for $1.8 billion in losses in 2020, according to the FBI IC3. It's the most financially damaging form of phishing by a wide margin.
Smishing and Vishing
Phishing via SMS or phone calls. Smishing often impersonates banks, delivery services, or two-factor authentication prompts. Vishing uses real human interaction to build rapport and extract information. The 2020 Twitter breach was a textbook vishing operation.
Clone Phishing
The attacker takes a legitimate email the victim previously received — maybe from a real vendor or colleague — and resends it with the links or attachments swapped for malicious versions. It's extremely convincing because the victim recognizes the content.
What Makes Phishing So Effective in 2021?
Three factors are driving the current phishing epidemic.
Remote work. The massive shift to remote work in 2020 and 2021 dissolved the physical security perimeter. Employees access corporate systems from home networks, personal devices, and coffee shops. They can't lean over to a colleague and ask, "Did you send this?" Isolation makes people more vulnerable to social engineering.
Cloud migration. As organizations move to Microsoft 365, Google Workspace, and other cloud platforms, a single set of stolen credentials can give an attacker access to email, file storage, collaboration tools, and more. Credential theft is now the primary objective of most phishing campaigns.
Sophistication. Phishing kits — pre-built toolkits sold on dark web marketplaces — let even low-skill attackers launch polished campaigns. Some kits include real-time session hijacking that can bypass multi-factor authentication. The barrier to entry for threat actors has never been lower.
How to Actually Protect Your Organization
Deploy Multi-Factor Authentication Everywhere
MFA is the single most effective control against credential theft. Even when a phishing attack captures a password, MFA adds a second barrier; according to CISA, it can block over 99% of automated credential attacks. It's not bulletproof: proxy-style phishing kits relay the victim's login to the real site in real time and capture the resulting session cookie, which defeats one-time codes and push prompts. Phishing-resistant methods such as FIDO2/WebAuthn security keys and passkeys bind the credential to the genuine site's origin, so a proxy sitting on a lookalike domain cannot complete the login. Use those for administrators, finance staff, and anyone else who is a whaling target, and some form of MFA everywhere else. Either way, it dramatically raises the cost of an attack.
Run Phishing Simulations Regularly
Testing your employees with realistic phishing simulations is the most direct way to measure and improve your human defense layer. Not once a year. Monthly or quarterly. Vary the lure types — email, SMS, voice. Track who clicks, who reports, and where the gaps are. Our phishing awareness training for organizations gives you a structured program to build this capability into your security operations.
Build a Zero Trust Architecture
Zero trust means no user or device is inherently trusted, even inside the network. Every access request is verified. This limits what an attacker can do with stolen credentials because lateral movement is constrained by continuous authentication and authorization checks. Zero trust isn't a product — it's a design philosophy applied across identity, network, and data layers.
Implement Email Authentication Protocols
SPF, DKIM, and DMARC are email authentication standards that let receiving mail servers check whether a message claiming to come from your domain was actually authorized by you. SPF lists the servers allowed to send for the domain, DKIM signs outgoing messages, and DMARC tells receivers what to do when a message passes neither aligned check and where to send reports. A DMARC record with p=none only reports; until you publish p=reject (or at least p=quarantine), receivers will still deliver mail that spoofs your domain to your customers, partners, and employees. Check your domain's _dmarc TXT record today, and look at the pct and sp tags, which can quietly scope the policy down to a fraction of mail or leave subdomains unprotected.
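As an added example (this is not code from the original post), here is a small Python checker that parses DMARC records the way a receiver reads them and grades each domain's policy. The records are constructed samples rather than real lookups; in a real audit you would fetch the TXT record at _dmarc.<domain> with a resolver (for instance dnspython's dns.resolver.resolve(name, "TXT")) and feed the returned string into assess().

```python
"""Grade DMARC policies for a set of domains. Added example; the records below are constructed."""

# Constructed sample answers for the TXT record at _dmarc.<domain> (not real DNS lookups).
SAMPLE_RECORDS = {
    "example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s",
    "example.org": "v=DMARC1; p=none; rua=mailto:reports@example.org",
    "example.net": "v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc@example.net",
    "example.co":  "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@example.co",
    "example.edu": None,                                   # no _dmarc record published at all
    "example.io":  "v=spf1 include:_spf.example.io -all",  # wrong record type sitting at _dmarc
}

# Stronger policies rank higher; used to compare the subdomain policy (sp) against p.
POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}


def parse_dmarc(record):
    """Split a DMARC TXT record into tag/value pairs. Returns None unless it carries v=DMARC1."""
    if not record:
        return None
    tags = {}
    for part in record.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    # A record without v=DMARC1 is not a DMARC record, whatever else it says.
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def assess(record):
    """Return (grade, reason); grade is one of 'missing', 'monitor', 'partial', 'enforcing'."""
    tags = parse_dmarc(record)
    if tags is None:
        return "missing", "no valid DMARC record; receivers apply no policy to spoofed mail"

    p = tags.get("p", "none").lower()
    if p not in POLICY_RANK:
        p = "none"  # unknown policy values are treated as no policy
    sp = tags.get("sp", p).lower()  # subdomains inherit p unless sp says otherwise
    if sp not in POLICY_RANK:
        sp = p
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    has_reports = "rua" in tags

    if p == "none":
        reason = "p=none only monitors; spoofed mail is still delivered"
        if not has_reports:
            reason += " (and no rua address, so you receive no reports either)"
        return "monitor", reason

    problems = []
    if p == "quarantine":
        problems.append("p=quarantine rather than reject")
    if pct < 100:
        problems.append(f"pct={pct} applies the policy to only {pct}% of failing mail")
    if POLICY_RANK[sp] < POLICY_RANK[p]:
        problems.append(f"sp={sp} leaves subdomains weaker than the parent domain")
    if problems:
        return "partial", "; ".join(problems)

    reason = "p=reject on 100% of failing mail"
    if not has_reports:
        reason += " (no rua tag, so no aggregate reports)"
    return "enforcing", reason


def audit(records):
    """Map each domain to its grade."""
    return {domain: assess(record)[0] for domain, record in records.items()}


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        grade, reason = assess(record)
        print(f"{domain:12s} {grade:10s} {reason}")
```

The pct and sp checks are the ones most audits miss: a domain can publish p=reject and still be spoofable in practice if pct=10 or sp=none is tucked further along the record.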
Invest in Ongoing Security Awareness Training
One-time annual training doesn't work. Security awareness must be continuous, relevant, and engaging. I've watched organizations cut phishing click rates by 70% over 12 months with consistent, well-designed programs. The key is making it practical — showing employees real examples, not just reading policy documents at them. Start with our cybersecurity awareness training program to build a strong foundation across your workforce.
What Should You Do If You Fall for a Phishing Attack?
This happens. Even to security professionals. What matters is the speed of your response.
- Immediately change your password for the compromised account and any other account using the same credentials.
- Enable or reset MFA on the affected account, and revoke all active sessions and refresh tokens. A session cookie captured by a proxy-style phishing kit stays valid after a password change until it is explicitly revoked.
- Report the incident to your IT or security team. Every minute you wait, the attacker extends their foothold.
- Check for inbox rules and forwarding settings. Attackers frequently add rules that silently forward incoming mail to an outside address or delete security warnings and replies. Also review the MFA methods and devices registered on the account, since attackers often add their own to keep access after a reset.
- Scan for malware if you opened an attachment or downloaded a file.
- Monitor financial accounts if banking or payment information was exposed.
- Preserve evidence — don't delete the phishing email. Your security team needs it to analyze the attack and protect others.
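The inbox-rule check above is easy to script once you have the rules exported. The following Python audit is an added example, not the original post's code: it flags rules that forward or redirect mail outside the organization, forward everything unconditionally, hide messages that match security-related words, or carry a near-empty name. The rule objects are constructed samples loosely shaped like Microsoft Graph messageRule JSON (displayName, conditions, actions); INTERNAL_DOMAINS and SUSPICIOUS_KEYWORDS are assumed values to adjust for your own tenant.

```python
"""Flag inbox rules that look like post-compromise persistence. Added example; data is constructed."""

# Assumed: the organization's own mail domains. Adjust for your tenant.
INTERNAL_DOMAINS = {"example.com"}

# Assumed list of words attackers filter on to hide warnings, invoices and wire requests.
SUSPICIOUS_KEYWORDS = {"password", "invoice", "wire", "payment", "security", "phish",
                       "hacked", "suspicious", "alert", "fraud", "mfa"}

FORWARD_ACTIONS = ("forwardTo", "forwardAsAttachmentTo", "redirectTo")

# Constructed sample rules, loosely shaped like Microsoft Graph messageRule objects.
# Not data from any real mailbox.
SAMPLE_RULES = [
    {"displayName": "Receipts", "isEnabled": True,
     "conditions": {"senderContains": ["billing"]},
     "actions": {"moveToFolder": "Receipts"}},
    {"displayName": ".", "isEnabled": True,
     "conditions": {},
     "actions": {"forwardTo": [{"emailAddress": {"address": "archive.mail@gmail.example"}}],
                 "markAsRead": True}},
    {"displayName": "Cleanup", "isEnabled": True,
     "conditions": {"subjectContains": ["password", "invoice", "wire", "security alert"]},
     "actions": {"delete": True, "stopProcessingRules": True}},
    {"displayName": "Team forward", "isEnabled": True,
     "conditions": {"senderContains": ["hr@example.com"]},
     "actions": {"redirectTo": [{"emailAddress": {"address": "hr-shared@example.com"}}]}},
]


def rule_findings(rule, internal_domains=INTERNAL_DOMAINS):
    """Return human-readable reasons this rule looks like attacker persistence (empty if clean)."""
    findings = []
    if not rule.get("isEnabled", True):
        return findings
    actions = rule.get("actions", {})
    conds = rule.get("conditions", {})

    # 1. Forwarding or redirecting to an address outside the organization's domains.
    for key in FORWARD_ACTIONS:
        for rcpt in actions.get(key, []):
            addr = rcpt.get("emailAddress", {}).get("address", "").lower()
            domain = addr.rpartition("@")[2]
            if domain and domain not in internal_domains:
                findings.append(f"{key} to external address {addr}")

    # 2. Forwarding with no conditions means every incoming message is copied out.
    if not conds and any(actions.get(key) for key in FORWARD_ACTIONS):
        findings.append("forwards all mail (rule has no conditions)")

    # 3. Deleting, marking read or filing messages that match security-related words.
    words = {w.lower() for w in conds.get("subjectContains", []) + conds.get("bodyContains", [])}
    hits = sorted(words & SUSPICIOUS_KEYWORDS)
    if hits and (actions.get("delete") or actions.get("markAsRead") or actions.get("moveToFolder")):
        findings.append(f"hides messages matching {hits}")

    # 4. Names attackers pick so the rule is easy to overlook in the rules list.
    name = rule.get("displayName", "").strip()
    if len(name) <= 1 or not any(c.isalnum() for c in name):
        findings.append(f"suspicious rule name {name!r}")
    return findings


def audit(rules, internal_domains=INTERNAL_DOMAINS):
    """Map each flagged rule's displayName to its findings; clean rules are omitted."""
    report = {}
    for rule in rules:
        found = rule_findings(rule, internal_domains)
        if found:
            report[rule.get("displayName", "")] = found
    return report


if __name__ == "__main__":
    for name, reasons in audit(SAMPLE_RULES).items():
        print(f"{name!r}:")
        for reason in reasons:
            print(f"  - {reason}")
```

Run it against rules exported from every mailbox in the organization, not just the one that reported the phish, since a compromised account is routinely used to phish colleagues next.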
If your organization experiences a business email compromise involving wire fraud, file a complaint with the FBI's Internet Crime Complaint Center (IC3) immediately. The FBI's Recovery Asset Team has successfully frozen fraudulent transfers when reported within 72 hours.
The Definition of a Phishing Attack Keeps Expanding
Five years ago, I could define phishing in terms of deceptive emails. Today, that definition encompasses voice calls, text messages, social media manipulation, compromised collaboration tools, deepfake audio, and supply chain attacks that poison legitimate software update channels.
The core principle hasn't changed: a threat actor manipulates human trust to bypass technical controls. But the delivery methods, the sophistication, and the scale have all accelerated. The organizations that survive are the ones that treat phishing as a persistent, evolving threat — not a checkbox on a compliance form.
Your firewall doesn't stop an employee from typing their password into a fake login page. Your endpoint detection doesn't trigger when someone wires $200,000 to a fraudulent account because their "CEO" asked them to. The human layer is your most targeted attack surface, and it requires deliberate, sustained investment in training, simulation, and process controls.
Start building that defense now. Enroll your team in phishing awareness training and pair it with a comprehensive cybersecurity awareness program that covers the full spectrum of social engineering threats your people face every day.